This post is a bit of a public service announcement, so I'll get right to the point:

Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware?

It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level. Routers have become quite capable, powerful little computers in their own right over the last 5 years, and that means they can, unfortunately, be harnessed to work against you.

I write about this because it recently happened to two people I know.

.@jchris A friend got hit by this on newly paved win8.1 computer. Downloaded Chrome, instantly infected with malware. Very spooky.

— not THE Damien Katz (@damienkatz) May 20, 2015

@codinghorror *no* idea and there’s almost ZERO info out there. Essentially malicious JS adware embedded in every in-app browser

— John O'Nolan (@JohnONolan) August 7, 2015

In both cases, they eventually determined the source of the problem was that the router they were connecting to the Internet through had been compromised.

This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them. that ever connects to the Internet through those routers, forever.

Hilarious meme images I am contractually obligated to add to each blog post aside, this is scary stuff and you should be scared.

Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over. The attacker will certainly be sending all that traffic somewhere they can sniff it for anything important: logins, passwords, credit card info, other personal or financial information. And they can direct you to phishing websites at will – if you think you're on the "real" login page for the banking site you use, think again.

Heck, even if you completely trust the person whose router you are using, they could be technically be doing this to you. But they probably aren't.

Probably.

In John's case, the attackers inserted annoying ads in all unencrypted web traffic, which is an obvious tell to a sophisticated user. But how exactly would the average user figure out where this junk is coming from (or worse, assume the regular web is just full of ad junk all the time), when even a technical guy like John – founder of the open source Ghost blogging software used on this very blog – was flummoxed?

But that's OK, we're smart users who would only access public WiFi using HTTPS websites, right? Sadly, even if the traffic is HTTPS encrypted, it can still be subverted! There's an extremely technical blow-by-blow analysis at Cryptostorm, but the TL;DR is this:

Compromised router answers DNS req for *.google.com to 3rd party with faked HTTPS cert, you download malware Chrome. Game over.

HTTPS certificate shenanigans. DNS and BGP manipulation. Very hairy stuff.

How is this possible? Let's start with the weakest link, your router. Or more specifically, the programmers responsible for coding the admin interface to your router.

They must be terribly incompetent coders to let your router get compromised over the Internet, since one of the major selling points of a router is to act as a basic firewall layer between the Internet and you… right?

In their defense, that part of a router generally works as advertised. More commonly, you aren't being attacked from the hardened outside. You're being attacked from the soft, creamy inside.

That's right, the calls are coming from inside your house!

By that I mean you'll visit a malicious website that scripts your own browser to access the web-based admin pages of your router, and reset (or use the default) admin passwords to reconfigure it.

Nasty, isn't it? They attack from the inside using your own browser. But that's not the only way.

• Maybe you accidentally turned on remote administration, so your router can be modified from the outside.

• Maybe you left your router's admin passwords at default.

• Maybe there is a legitimate external exploit for your router and you're running a very old version of firmware.

• Maybe your ISP provided your router and made a security error in the configuration of the device.

In addition to being kind of terrifying, this does not bode well for the Internet of Things.

Internet of Compromised Things, more like.

OK, so what can we do about this? There's no perfect answer; I think it has to be a defense in depth strategy.

Inside Your Home

Buy a new, quality router. You don't want a router that's years old and hasn't been updated. But on the other hand you also don't want something too new that hasn't been vetted for firmware and/or security issues in the real world.

Also, any router your ISP provides is going to be about as crappy and "recent" as the awful stereo system you get in a new car. So I say stick with well known consumer brands. There are some hardcore folks who think all consumer routers are trash, so YMMV.

I can recommend the Asus RT-AC87U – it did very well in the SmallNetBuilder tests, Asus is a respectable brand, it's been out a year, and for most people, this is probably an upgrade over what you currently have without being totally bleeding edge overkill. I know it is an upgrade for me.

(I am also eagerly awaiting Eero as a domestic best of breed device with amazing custom firmware, and have one pre-ordered, but it hasn't shipped yet.)

Download and install the latest firmware. Ideally, do this before connecting the device to the Internet. But if you connect and then immediately use the firmware auto-update feature, who am I to judge you.

Change the default admin passwords. Don't leave it at the documented defaults, because then it could be potentially scripted and accessed.

Turn off WPS. Turns out the Wi-Fi Protected Setup feature intended to make it "easy" to connect to a router by pressing a button or entering a PIN made it … a bit too easy. This is always on by default, so be sure to disable it.

Turn off uPNP. Since we're talking about attacks that come from "inside your house", uPNP offers zero protection as it has no method of authentication. If you need it for specific apps, you'll find out, and you can forward those ports manually as needed.

Make sure remote administration is turned off. I've never owned a router that ever had this on by default, but check just to be double plus sure. I suppose it never hurts to check.

For Wifi, turn on WPA2+AES and use a long, strong password. Again, I feel most modern routers get the defaults right these days, but just check. The password is your responsibility, and password strength matters tremendously for wireless security, so be sure to make it a long one – at least 20 characters with all the variability you can muster.

Pick a unique SSID. Default SSIDs just scream hack me, for I have all defaults and a clueless owner. And no, don't bother "hiding" your SSID, it's a waste of time.

Optional: use less congested channels for WiFi. The default is "auto", but you can sometimes get better performance by picking less used frequencies at the ends of the spectrum. As summarized by official ASUS support reps:

• Set 2.4 GHz channel bandwidth to 40 MHz, and change the control channel to 1, 6 or 11.

• Set 5 GHz channel bandwidth to 80 MHz, and change the control channel to 165 or 161.

Experts only: install an open source firmware. I discussed this a fair bit in Everyone Needs a Router, but you have to be very careful which router model you buy, and you'll probably need to stick with older models. There are several which are specifically sold to be friendly to open source firmware.

Outside Your Home

Well, this one is simple. Assume everything you do outside your home, on a remote network or over WiFi is being monitored by IBGs: Internet Bad Guys.

I know, kind of an oppressive way to voyage out into the world, but it's better to start out with a defensive mindset, because you could be connecting to anyone's compromised router or network out there.

But, good news. There are only two key things you need to remember once you're outside, facing down that fiery ball of hell in the sky and armies of IBGs. sky.

1. Never access anything but HTTPS websites.

   If it isn't available over HTTPS, don't go there!

   You might be OK with HTTP if you are not logging in to the website, just browsing it, but even then IBGs could inject malware in the page and potentially compromise your device. And never, ever enter anything over HTTP you aren't 100% comfortable with bad guys seeing and using against you somehow.

   We've made tremendous progress in HTTPS Everywhere over the last 5 years, and these days most major websites offer (or even better, force) HTTPS access. So if you just want to quickly check your GMail or Facebook or Twitter, you will be fine, because those services all force HTTPS.

2. If you must access non-HTTPS websites, or you are not sure, always use a VPN.

   A VPN encrypts all your traffic, so you no longer have to worry about using HTTPS. You do have to worry about whether or not you trust your VPN provider, but that's a much longer discussion than I want to get into right now.

   It's a good idea to pick a go-to VPN provider so you have one ready and get used to how it works over time. Initially it will feel like a bunch of extra work, and it kinda is, but if you care about your security an encrypt-everything VPN is bedrock. And if this is bedrock. If you don't care about your security, well, why are you even reading this? for your sake I hope you only visit HTTPS websites, ever.

If it feels like these are both variants of the same rule, always strongly encrypt everything, you aren't wrong. That's the way things are headed heading . The math is as sound as it ever was – but unfortunately the people and devices, less so.

Be Safe Out There

Until We focus so much on "computer" security that, until I heard Damien's story and John's story, I had no idea it hadn't even occurred to me that router hardware could be such a huge point of compromise. I didn't realize that you could be innocently visiting a friend's house, and just because he happens to be the parent of three teenage boys and the owner of an old, unsecured router that you connect to via WiFi … your life will suddenly get a lot more complicated. And everyone else who connects to it.

As the amount of stuff we connect to the Internet grows, we have to understand that the Internet of Things is a bunch of those are tiny, powerful computers, too – and they need the same strong attention to security security and attention that our smartphones, laptops, and servers already enjoy. get.

Rick Reed in an upcoming talk in March titled That's 'Billion' with a 'B': Scaling to the next level at WhatsApp reveals some eye popping WhatsApp stats:

What has hundreds of nodes, thousands of cores, hundreds of terabytes of RAM, and hopes to serve the billions of smartphones that will soon be a reality around the globe? The Erlang/FreeBSD-based server infrastructure at WhatsApp. We've faced many challenges in meeting the ever-growing demand for our messaging services, but as we continue to push the envelope on size (>8000 cores) and speed (>70M Erlang messages per second) of our serving system.

But since we don’t have that talk yet, let’s take a look at a talk Rick Reed gave two years ago on WhatsApp: Scaling to Millions of Simultaneous Connections.

Having built a high performance messaging bus in C++ while at Yahoo, Rick Reed is not new to the world of high scalability architectures. The founders are also ex-Yahoo guys with not a little experience scaling systems. So WhatsApp comes by their scaling prowess honestly. And since they have a Big Hairy Audacious of Goal of being on every smartphone in the world, which could be as many as 5 billion phones in a few years, they’ll need to make the most of that experience.

Before we get to the facts, let’s digress for a moment on this absolutely fascinating conundrum: How can WhatsApp possibly be worth $19 billion to Facebook?

As a programmer if you ask me if WhatsApp is worth that much I’ll answer expletive no! It’s just sending stuff over a network. Get real. But I’m also the guy that thought we don’t need blogging platforms because how hard is it to remote login to your own server, edit the index.html file with vi, then write your post in HTML? It has taken quite a while for me to realize it’s not the code stupid, it’s getting all those users to love and use your product that is the hard part. You can’t buy love

What is it that makes WhatsApp so valuable? The technology? Ignore all those people who say they could write WhatsApp in a week with PHP. That’s simply not true. It is as we’ll see pretty cool technology. But certainly Facebook has sufficient chops to build WhatsApp if they wished.

Let’s look at features. We know WhatsApp is a no gimmicks (no ads, no gimmicks, no games) product with loyal users from across the world. It offers free texting in a cruel world where SMS charges can be abusive. As a sheltered American it has surprised me the most to see how many real people use WhatsApp to really stay in touch with family and friends. So when you get on WhatsApp it’s likely people you know are already on it, since everyone has a phone, which mitigates the empty social network problem. It is aggressively cross platform so everyone you know can use it and it will just work. It “just works” is a phrase often used. It is full featured (shared locations, video, audio, pictures, push-to-talk, voice-messages and photos, read receipt, group-chats, send messages via WiFi, and all can be done regardless of whether the recipient is online or not). It handles the display of native languages well. And using your cell number as identity and your contacts list as a social graph is diabolically simple. There’s no email verification, username and password, and no credit card number required. So it just works.

All impressive, but that can’t be worth $19 billion. Other products can compete on features.

Google wanted it is a possible reason. It’s a threat. It’s for the .99 cents a user. Facebook is just desperate. It’s for your phone book. It’s for the meta-data (even though WhatsApp keeps none).

It’s for the 450 million active users, with a user based growing at one million users a day, with a potential for a billion users. Facebook needs WhatApp for its next billion users. Certainly that must be part if it. And a cost of about $40 a user doesn’t seem unreasonable, especially with the bulk paid out in stock.  Facebook acquired Instagram for about $30 per user. A Twitter user is worth $110.

Benedict Evans makes a great case that Mobile is a 1+ trillion dollar business, WhatsApp is disrupting the SMS part of this industry, which globally has over $100 billion in revenue, by sending 18 billion SMS messages a day when the global SMS system only sends 20 billion SMS messages a day.  With a fundamental change in the transition from PCs to nearly universal smartphone adoption, the size of the opportunity is a much larger addressable market than where Facebook normally plays.

But Facebook has promised no ads and no interference, so where’s the win?

There’s the interesting development of business use over mobile. WhatsApp is used to create group conversations for project teams and venture capitalists carry out deal flow conversations over WhatsApp.

Instagram is used in Kuwait to sell sheep.

WeChat, a WhatsApp competitor, launched a taxi-cab hailing service in January. In the first month 21 million cabs were hailed.

With the future of e-commerce looking like it will be funneled through mobile messaging apps, it must be an e-commerce play?

It’s not just businesses using WhatsApp for applications that were once on the desktop or on the web. Police officers in Spain use WhatsApp to catch criminals. People in Italy use it to organize basketball games.

Commerce and other applications are jumping on to mobile for obvious reasons. Everyone has mobile and these messaging applications are powerful, free, and cheap to use. No longer do you need a desktop or a web application to get things done. A lot of functionality can be overlayed on a messaging app.

So messaging is a threat to Google and Facebook. The desktop is dead. The web is dying. Messaging + mobile is an entire ecosystem that sidesteps their channel.

Facebook needs to get into this market or become irrelevant?

With the move to mobile we are seeing deportalization of Facebook. The desktop web interface for Facebook is a portal style interface providing access to all the features made available by the backend. It’s big, complicated, and creaky. Who really loves the Facebook UI?

When Facebook moved to mobile they tried the portal approach and it didn’t work. So they are going with a strategy of smaller, more focussed, purpose built apps. Mobile first! There’s only so much you can do on a small screen. On mobile it’s easier to go find a special app than it is to find a menu buried deep within a complicated portal style application.

But Facebook is going one step further. They are not only creating purpose built apps, they are providing multiple competing apps that provide similar functionality and these apps may not even share a backend infrastructure. We see this with Messenger and WhatsApp, Instagram and Facebook’s photo app. Paper is an alternate interface to Facebook that provides very limited functionality, but it does what it does very well.

Conway's law may be operating here. The idea that “organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations.” With a monolithic backend infrastructure we get a Borg-like portal design. The move to mobile frees the organization from this way of thinking. If apps can be built that provide a view of just a slice of the Facebook infrastructure then apps can be built that don’t use Facebook’s infrastructure at all. And if they don't need Facebook's infrastructure then they are free not to be built by Facebook at all. So exactly what is Facebook then?

Facebook CEO Mark Zuckerberg has his own take, saying in a keynote presentation at the Mobile World Congress that Facebook's acquisition of WhatsApp was closely related to the Internet.org vision:

The idea is to develop a group of basic internet services that would be free of charge to use — “a 911 for the internet." These could be a social networking service like Facebook, a messaging service, maybe search and other things like weather. Providing a bundle of these free of charge to users will work like a gateway drug of sorts — users who may be able to afford data services and phones these days just don’t see the point of why they would pay for those data services. This would give them some context for why they are important, and that will lead them to paying for more services like this — or so the hope goes.

This is the long play, which is a game that having a huge reservoir of valuable stock allows you to play. 

Have we reached a conclusion? I don’t think so. It’s such a stunning dollar amount with such tenuous apparent immediate rewards, that the long term play explanation actually does make some sense. We are still in the very early days of mobile. Nobody knows what the future will look like, so it pays not try to force the future to look like your past. Facebook seems to be doing just that.

But enough of this. How do you support 450 million active users with only 32 engineers? Let’s find out...

Preface by Tim Ferriss

I’ve written about how I learned to speak, read, and write Japanese, Mandarin, and Spanish. I’ve also covered my experiments with German, Indonesian, Arabic, Norwegian, Turkish, and perhaps a dozen others.

There are only few language learners who dazzle me, and Benny Lewis is one of them.

This definitive guest post by Benny will teach you:

• How to speak your target language today.
• How to reach fluency and exceed it within a few months.
• How to pass yourself off as a native speaker.
• And finally, how to tackle multiple languages to become a “polyglot”—all within a few years, perhaps as little as 1-2.

It contains TONS of amazing resources I never even knew existed, including the best free apps and websites for becoming fluent in record time. Want to find a native speaker to help you for $5 per hour? Free resources and memory tricks? It’s all here.

This is a post you all requested, so I hope you enjoy it!

Enter Benny

You are either born with the language-learning gene, or you aren’t. Luck of the draw, right?  At least, that’s what most people believe.

In think you can stack the deck in your favor. Years ago, I was a language learning dud. The worst in my German class in school, only able to speak English into my twenties, and even after six entire months living in Spain, I could barely muster up the courage to ask where the bathroom was in Spanish.

But this is about the point when I had an epiphany, changed my approach, and then succeeded not only in learning Spanish, but in getting a C2 (Mastery) diploma from the Instituto Cervantes, working as a professional translator in the language, and even being interviewed on the radio in Spanish to give travel tips. Since then, I moved on to other languages, and I can now speak more than a dozen languages to varying degrees between conversational and mastery.

It turns out, there is no language-learning gene, but there are tools and tricks for faster learning…

As a “polyglot”—someone who speaks multiple languages—my world has opened up. I have gained access to people and places that I never otherwise could have reached. I’ve made friends on a train in China through Mandarin, discussed politics with a desert dweller in Egyptian Arabic, discovered the wonders of deaf culture through ASL, invited the (female) president of Ireland to dance in Irish (Gaeilge) and talked about it on live Irish radio, interviewed Peruvian fabric makers about how they work in Quechua, interpreted between Hungarian and Portuguese at a social event… and well, had an extremely interesting decade traveling the world.

Such wonderful experiences are well within the reach of many of you.

Since you may be starting from a similar position to where I was (monolingual adult, checkered history with language learning, no idea where to start other), I’m going to outline the tips that worked best for me as I went from zero to polyglot.

This very detailed post should give you everything you need to know.

So, let’s get started!

#1 – Learn the right words, the right way.

Starting a new language means learning new words. Lots of them.

Of course, many people cite a bad memory for learning new vocab, so they quit before even getting started.

But–here’s the key–you absolutely do not need to know all the words of a language to speak it (and in fact, you don’t know all the words of your mother tongue either).

As Tim pointed out in his own post on learning any language in 3 months, you can take advantage of the Pareto principle here, and realize that 20% of the effort you spend on acquiring new vocab could ultimately give you 80% comprehension in a language—for instance, in English just 300 words make up 65% of all written material. We use those words a lot, and that’s the case in every other language as well.

You can find pre-made flash card “decks” of these most frequent words (or words themed for a subject you are more likely to talk about) for studying on the Anki app (available for all computer platforms and smartphones) that you can download instantly. Good flashcard methods implement a spaced repetition system (SRS), which Anki automates. This means that rather than go through the same list of vocabulary in the same order every time, you see words at strategically spaced intervals, just before you would forget them.

Tim himself likes to use color-coded physical flashcards; some he purchases from Vis-Ed, others he makes himself. He showed me an example when I interviewed him about how he learns languages in the below video.

Though this entire video can give you great insight into Tim’s language learning approach, the part relevant to this point is at 27:40 (full transcript here).

)

#2 – Learn cognates: your friend in every single language.

Believe it or not, you already—right now—have a huge head start in your target language. With language learning you always know at least some words before you ever begin. Starting a language “from scratch” is essentially impossible because of the vast amount of words you know already through cognates.

Cognates are “true friends” of words you recognize from your native language that mean the same thing in another language.

For instance, Romance languages like French, Spanish, Portuguese, Italian, and others have many words in common with English. English initially “borrowed them” from the Norman conquest of England, which lasted several hundreds of years. Action, nation, precipitation, solution, frustration, tradition, communication, extinction, and thousands of other -tion words are spelled exactly the same in French, and you can quickly get used to the different pronunciation. Change that -tion to a -ción and you have the same words in Spanish. Italian is -zione and Portuguese is -ção.

Many languages also have words that share a common (Greek/Latin or other) root, which can be spelled slightly differently, but that you’d have to try hard not to recognize, such as exemple, hélicoptère (Fr), porto, capitano (Italian) astronomía, and Saturno (Spanish). German goes a step further and has many words from English’s past that it shares.

To find common words with the language you are learning, simply search for “[language name] cognates” or “[language name] English loan words” to see words they borrowed from us, and finally “[language name] words in English” to see words we borrowed from them.

That’s all well and good for European languages, but what about more distant ones?

Well, it turns out that even languages as different as Japanese can have heaps of very familiar vocabulary. To show you what I mean, have a listen to this song (to the tune of Animaniac’s “Nations of the World”), which is sung entirely in Japanese, and yet you should understand pretty much everything that I and the other Japanese learners are singing:

)

This is because many languages simply borrow English words and integrate them into the new language with altered pronunciation or stress.

So to make my life easy when I start learning a language, one of the first word lists I try to consume is a list of “cognates,” or “English loan words,” which can be found quickly for pretty much any language.

#3 – Interact in your language daily without traveling.

Another reason (or excuse, depending on how you look at it) people cite for not learning languages is that they can’t visit a country where it’s a native language.  No time, no money, etc.

Take it from me—there is nothing “in the air” in another country that will magically make you able to speak their language.  I’ve done a lot of experiments to prove this (e.g. becoming fluent in Arabic while living in Brazil).

I’ve met countless expats who lived abroad for years without learning the local language. Living abroad and being immersed is not the same thing. If you need to hear and use a language consistently to be immersed, can’t virtual immersion be just as effective? Of course. Technology makes it possible for immersion to come to you, and you don’t even have to buy a plane ticket.

To hear the language consistently spoken, you can check out TuneIn.com for a vast selection of live-streamed radio from your country of choice. The app (free) also has a list of streamed radio stations ordered by language.

To watch the language consistently, see what’s trending on Youtube in that country right now. Go to that country’s equivalent URL for Amazon or Ebay (amazon.es, amazon.fr, amazon.co.jp, etc.) and buy your favorite TV series dubbed in that language, or get a local equivalent by seeing what’s on the top charts. You may be able to save shipping costs if you can find one locally that includes dubbing in the appropriate language. Various news stations also have plenty of video content online in specific languages, such as France24, Deutsche Welle, CNN Español, and many others.

To read the language consistently, in addition to the news sites listed above, you can find cool blogs and other popular sites on Alexa’s ranking of top sites per country.

And if full-on immersion isn’t your thing yet, there’s even a plugin for Chrome that eases you into the language by translating some parts of the sites you normally read in English, to sprinkle the odd word into your otherwise English reading.

#4 – Skype today for daily spoken practice.

So you’ve been listening to, watching, and even reading in your target language—and all in the comfort of your own home. Now it’s time for the big one: speaking it live with a native.

One of my more controversial pieces of advice, but one that I absolutely insist on when I advise beginners, is that you must speak the language right away if your goals in the target language involve speaking it.

Most traditional approaches or language systems don’t work this way, and I think that’s where they let their students down.  I say, there are seven days in a week and “some day” is not one of them.

Here’s what I suggest instead:

Use the pointers I’ve given above to learn some basic vocabulary, and be aware of some words you already know. Do this for a few hours, and then set up an exchange with a native speaker—someone who has spoken that language their whole life. You only have to learn a little for your first conversation, but if you use it immediately, you’ll see what’s missing and can add on from there. You can’t study in isolation until you are vaguely “ready” for interaction.

In those first few hours, I’d recommend learning some pleasantries such as “Hello,” “Thank you,” “Could you repeat that?” or “I don’t understand,” many of which you will find listed out here for most languages.

But wait—where do you find a native speaker if you aren’t in the country that speaks that language?

No problem! Thousands of native speakers are ready and waiting for you to talk to them right now. You can get private lessons for peanuts by taking advantage of currency differences. My favorite site for finding natives is italki.com (connect with my profile here), where I’ve gotten both Chinese and Japanese one-on-one Skype-based lessons for just $5 an hour.

If you still think you wouldn’t be ready on day one, then consider this: starting on Skype allows you to ease yourself in gently by having another window (or application, like Word) open during your conversation, already loaded with key words that you can use for quick reference until you internalize them. You can even reference Google Translate or a dictionary for that language while you chat, so you can learn new words as you go, when you need them.

Is this “cheating”? No. The goal is to learn to be functional, not to imitate old traditional methods. I’ve used the above shortcuts myself, and after learning Polish for just one hour for a trip to Warsaw to speak at TEDx about language learning, I was able to hold up a conversation (incredibly basic as it was) in Polish for an entire half hour.

I consider that a win.

)

#5 – Save your money. The best resources are free.

Other than paying for the undivided attention of a native speaker, I don’t see why you’d need to spend hundreds of dollars on anything in language learning. I’ve tried Rosetta Stone myself and wasn’t impressed.

But there is great stuff out there. A wonderful and completely free course that keeps getting better is DuoLingo - which I highly recommend for its selection of European languages currently on offer, with more on the way. To really get you started on the many options available to help you learn your language without spending a penny, let me offer plenty of other (good) alternatives:

• The Foreign Service Institutes’ varied list of courses
• The Omniglot Intro to languages
• BBC languages’ intro to almost 40 different languages
• About’s language specific posts that explain particular aspects of languages well

You really do have plenty of options when it comes to free resources, so I suggest you try out several and see which ones work well for you. The aforementioned italki is great for language exchanges and lessons, but My Language Exchange and Interpals are two other options. You can take it offline and see about language related meet-ups in your city through The Polyglot Club, or the meet-ups pages on Couchsurfing, meetup.com, and Internations. These meet-ups are also great opportunities to meet an international crowd of fellow language learning enthusiasts, as well as native speakers of your target language, for practice.

But wait, there’s more. You can get further completely free language help on:

• The huge database on Forvo, to hear any word or small expression in many languages read aloud by a native of the language
• Rhinospike to make requests of specific phrases you’d like to hear pronounced by a native speaker. If you can’t find something on either of these sites, Google Translate has a text-to-speech option for many languages.
• Lang 8 to receive free written corrections.

The possibilities for free practice are endless.

#6 – Realize that adults are actually better language learners than kids.

Now that you’re armed with a ton of resources to get started, let’s tackle the biggest problem. Not grammar, not vocabulary, not a lack of resources, but handicapping misconceptions about your own learning potential.

The most common “I give up” misconception is: I’m too old to become fluent.

I’m glad to be the bearer of good news and tell you that research has confirmed that adults can be better language learners than kids. This study at the University of Haifa has found that under the right circumstances, adults show an intuition for unexplained grammar rules better than their younger counterparts. [Note from Tim: This is corroborated by the book In Other Words and work by Hakuta.]

Also, no study has ever shown any direct correlation between reduced language acquisition skill and increased age. There is only a general downward trend in language acquisition in adults, which is probably more dependent on environmental factors that can be changed (e.g. long job hours that crowd out study time). Something my friend Khatzumoto (alljapaneseallthetime.com) once said that I liked was, “Baby’s aren’t better language learners than you; they just have no escape routes.”

As adults, the good news is that we can emulate the immersion environment without having to travel, spend a lot of money, or revert back to childhood.

#7 – Expand your vocabulary with mnemonics.

Rote repetition isn’t enough.

And while it’s true that repeated exposure sometimes burns a word into your memory, it can be frustrating to forget a word that you’ve already heard a dozen times.

For this, I suggest coming up with mnemonics about your target word, which helps glue the word to your memory way more effectively. Basically, you tell yourself a funny, silly, or otherwise memorable story to associate with a particular word. You can come up with the mnemonic yourself, but a wonderful (and free) resource that I highly recommend is memrise.com.

For instance, let’s say you are learning Spanish and can’t seem to remember that “caber” means “to fit,” no matter how many times you see it. Why not come up with a clever association like the following one I found on Memrise:

This [caber -> cab, bear -> fitting a bear in a cab] association makes remembering the word a cinch.

It may sound like a lengthy process, but try it a few times, and you’ll quickly realize why it’s so effective. And you’ll only need to recall this hook a couple of times, and then you can ditch it when the word becomes a natural part of your ability to use the language quickly.

#8 – Embrace mistakes.

Over half of the planet speaks more than one language.

This means that monolingualism is a cultural, not a biological, consequence. So when adults (at least in the English speaking world) fail at language learning, it’s not because they don’t have the right genes or other such nonsense. It’s because the system they have used to learn languages is broken.

Traditional teaching methods treat language learning just like any other academic subject, based on an approach that has barely changed since the days when Charles Dickens was learning Latin. The differences between your native language (L1) and your target language (L2) are presented as vocabulary and grammar rules to memorize. The traditional idea: know them “all” and you know the language. It seems logical enough, right?

The problem is that you can’t ever truly “learn” a language, you get used to it. It’s not a thing that you know or don’t know; it’s a means of communication between human beings. Languages should not be acquired by rote alone—they need to be used.

The way you do this as a beginner is to use everything you do know with emphasis on communication rather than on perfection. This is the pivotal difference. Sure, you could wait until you are ready to say “Excuse me kind sir, could you direct me to the nearest bathroom?” but “Bathroom where?” actually conveys the same essential information, only removing superfluous pleasantries. You will be forgiven for this directness, because it’s always obvious that you are a learner.

Don’t worry about upsetting native speakers for being so “bold” as to speak to them in their own language.

One of the best things you can do in the initial stages is not to try to get everything perfect, but to embrace making mistakes. I go out of my way to make at least 200 mistakes a day! This way I know I am truly using and practicing the language.

[TIM: I actually view part of my role as that of comedian or court jester--to make native speakers chuckle at my Tarzan speak. If you make people smile, it will make you popular, which will make you enthusiastic to continue.]

#9 – Create SMART goals.

Another failing of most learning approaches is a poorly defined end-goal.

We tend to have New Year’s Resolutions along the lines of “Learn Spanish,” but how do you know when you’ve succeeded? If this is your goal, how can you know when you’ve reached it?

Vague end goals like this are endless pits (e.g. “I’m not ready yet, because I haven’t learned the entire language”).

S.M.A.R.T. goals on the other hand are Specific, Measurable, Attainable, Relevant, and Time-bound.

To start developing your SMART goal in a language, I highly recommend you become somewhat familiar with the European Common Framework that defines language levels. This framework provides you with a way of setting specific language goals and measuring your own progress.

In brief, A means beginner, B means intermediate, and C means advanced, and each level is broken up into lower (1) and upper (2) categories. So an upper beginner speaker is A2, and a lower advanced speaker is C1. As well as being Specific, these levels are absolutely Measurable because officially recognized institutions can test you on them and provide diplomas (no course enrollment necessary) in German, French, Spanish, Irish, and each other official European language. While the same scale is not used, you can also get tested in a similar way in Chinese and Japanese.

So what do you aim for? And what do words like “fluency” and “mastery” mean on a practical level?

I’ve talked to many people to try to pinpoint the never-agreed-upon understanding of “fluency,” and I’ve found that it tends to average out around the B2 level (upper intermediate). This effectively means that you have “social equivalency” with your native language, which means that you can live in your target language in social situations in much the same way that you would in your native language, such as casual chats with friends in a bar, asking what people did over the weekend, sharing your aspirations and relating to people.

Since we are being specific, it’s also important to point out that this does not require that you can work professionally in a language (in my case, as an engineer or public speaker, for instance). That would be mastery level (generally C2).

Though I’ve reached the C2 stage myself in French, Spanish and am close to it in other languages, realistically I only really need to be socially equivalent in a language I want to communicate in. I don’t need to work in other languages.  It’s essential that you keep your priorities clear to avoid frustration.  Most of the time, just target B2.

To make your specific goal Attainable, you can break it down further. For example, I’ve found that the fluency (B2) level can be achieved in a matter of months, as long as you are focused on the spoken aspect.

In phonetic languages (like most European ones), you can actually learn to read along with speaking, so you get this effectively for free. But realistically, we tend to write emails and text messages—not essays—on a day-to-day basis (unless you are a writer by trade, and you may not have those goals with your L2). Focusing on speaking and listening (and maybe reading) makes fluency in a few months much more realistic.

Finally, to make your project Time-bound, I highly recommend a short end-point of a few months.

Keeping it a year or more away is far too distant, and your plans may as well be unbound at that point. Three months has worked great for me, but 6 weeks or 4 months could be your ideal point. Pick a definite point in the not too distant future (summer vacation, your birthday, when a family member will visit), aim to reach your target by this time, and work your ass off to make it happen.

To help you be smarter with your goals, make sure to track your progress and use an app like Lift to track completing daily essential tasks.

You can join the Lift plan for language learning that I wrote for their users here.

#10 – Jump from Conversational (B1) to Mastery (C2).

The way I reach spoken fluency quickly is to get a hell of a lot of spoken practice.

From day one to day 90 (and beyond), I speak at least an hour a day in my L2, and my study time is tailored around the spoken sessions to make sure that my conversation is what’s improving—not just my “general language skills” through some vague list of words I may never use.

So, for instance, I may start a session by asking what my native friend or teacher did over the weekend, and tell them what I did. Then I will share something that is on my mind lately and attempt to express my opinion on it, or allow the native speaker to introduce a new topic. It’s important to take an active role and make sure you are having varied conversations. Have a list of topics you would like to discuss and bring them up (your hobbies, hopes for the future, dislikes, what you will do on your vacation etc.) and make sure the conversation is constantly progressing.

Lots of practice and study to improve those spoken sessions tends to get me to lower intermediate (B1) level, which means I can understand the other person speaking to me fine as long as they are willing to speak clearly and adjust to my level and mistakes. It’s a LOT of work, mind you! On typical learning days I can be filled with frustration or feel like my brain is melting when–in fact–I’m truly making a lot of progress.

But the work is totally worth it when you have your first successful conversation with a native speaker. You’ll be thrilled beyond belief.

To see what this B1 level looks like, check out these videos of me chatting to a native in Arabic (in person with my italki teacher!), and in Mandarin with my friend Yangyang about how she got into working as a TV show host:

)

)

At this level, I still make plenty of mistakes of course, but they don’t hinder communication too much.

But to get over that plateau of just “good enough,” this is the point where I tend to return to academic material and grammar books, to tidy up what I have. I find I understand the grammar much better once I’m already speaking the language. This approach really works for me, but there is no one best language-learning approach. For instance, Tim has had great success by grammatically deconstructing a language right from the start. Your approach will depend entirely on your personality.

After lots of exercises to tidy up my mistakes at the B1 level, I find that I can break into B2.

At the B2 stage you can really have fun in the language! You can socialize and have any typical conversation that you’d like.

To get into the mastery C1/C2 levels though, the requirements are very different. You’ll have to start reading newspapers, technical blog posts, or other articles that won’t exactly be “light reading.”

To get this high-level practice, I’ve subscribed to newspapers on my Kindle that I try to read every day from various major news outlets around the world. Here are the top newspapers in Europe, South America and Asia. After reading up on various topics, I like to get an experienced professional (and ideally pedantic) teacher to grill me on the topic, to force me out of my comfort zone, and make sure I’m using precisely the right words, rather than simply making myself understood.

To show you what a higher level looks like, here is a chat I had with my Quebec Couchsurfer about the fascinating cultural and linguistic differences between Quebec and France (I would have been at a C1 level at this stage):

)

Reaching the C2 level can be extremely difficult.

For instance, I sat a C2 exam in German, and managed to hold my ground for the oral component, when I had to talk about deforestation for ten minutes, but I failed the exam on the listening component, showing me that I needed to be focused and pay attention to complicated radio interviews or podcasts at that level if I wanted to pass the exam in future.

#11 – Learn to sound more native.

At C2, you are as good as a native speaker in how you can work and interact in the language, but you may still have an accent and make the odd mistake.

I have been mistaken for a native speaker of my L2 several times (in Spanish, French and Portuguese – including when I was still at the B2/fluent level), and I can say that it’s a lot less related to your language level, and more related to two other factors.

First, your accent/intonation

Accent is obvious; if you can’t roll your R in Spanish you will be recognized as a foreigner instantly.

Your tongue muscles are not set in their ways forever, and you can learn the very few new sounds that your L2 requires that you learn. Time with a native, a good Youtube video explaining the sounds, and practice for a few hours may be all that you need!

What is much more important, but often overlooked, is intonation—the pitch, rise, fall, and stress of your words. When I was writing my book, I interviewed fellow polyglot Luca who is very effective in adapting a convincing accent in his target languages. For this, intonation is pivotal.

Luca trains himself from the very start to mimic the musicality and rhythm of a language’s natives by visualizing the sentences. For instance, if you really listen to it, the word “France” sounds different in “I want to go to France” (downward intonation) and “France is a beautiful country (intonation raising upwards). When you repeat sentences in your L2, you have to mimic the musicality of them.

My own French teacher pointed out a mistake I was making along these same lines.

I was trying to raise my intonation before pauses, which is a feature of French that occurs much more frequently than in English, but I was overdoing it and applying it to the ends of sentences as well. This made my sentences sound incomplete, and when my teacher trained me to stop doing this, I was told that I sounded way more French.

You can make these changes by focusing on the sounds of a language rather than just on the words.

Truly listen to and and mimic audio from natives, have them correct your biggest mistakes and drill the mistakes out of you. I had an accent trainer show me how this worked, and I found out some fascinating differences between my own Irish accent and American accents in the process! To see for yourself how the process works, check out the second half of this post with Soundcloud samples.

Second, walk like an Egyptian

The second factor that influences whether or not you could be confused for a native speaker, involves working on your social and cultural integration. This is often overlooked, but has made a world of difference to me, even in my early stages of speaking several languages.

For instance, when I first arrived in Egypt with lower intermediate Egyptian Arabic, I was disheartened that most people would speak English to me (in Cairo) before I even had a chance for my Arabic to shine. It’s easy to say that I’m too white to ever be confused for an Egyptian, but there’s more to it than that.

They took one look at me, saw how foreign I obviously was, and this overshadowed what language I was actually speaking to them.

To get around this problem, I sat down at a busy pedestrian intersection with a pen and paper and made a note of everything that made Egyptian men about my age different from me. How they walked, how they used their hands, the clothing they wore, their facial expressions, the volume they’d speak at, how they’d groom themselves, and much more. I found that I needed to let some stubble grow out, ditch my bright light clothes for darker and heavy ones (despite the temperature), exchange my trainers for dull black shoes, ditch my hat (I never saw anyone with hats), walk much more confidently, and change my facial expressions.

The transformation was incredible! Every single person for the rest of my time in Egypt would start speaking to me in Arabic, including in touristy parts of town where they spoke excellent English and would be well used to spotting tourists. This transformation allowed me to walk from the Nile to the Pyramids without any hassle from touts and make the experience all about the fascinating people I met.

Try it yourself, and you’ll see what I mean—once you start paying attention, the physical social differences will become easy to spot.

You can observe people directly, or watch videos of natives you’d like to emulate from a target country. Really try to analyze everything that someone of your age and gender is doing, and see if you can mimic it next time you are speaking.

Imitation is, after all, the most sincere form of flattery!

#12 – Become a polyglot.

This post has been an extremely detailed look at starting off and trying to reach mastery in a foreign language (and even passing yourself off as a native of that country).

If your ultimate goal is to speak multiple languages, you can repeat this process over multiple times, but I highly recommend you focus on one language at a time until you reach at least the intermediate level. Take each language one by one, until you reach a stage where you know you can confidently use it. And then you may just be ready for the next ones!

While you can do a lot in a few months, if you want to speak a language for the rest of your life it requires constant practice, improvement, and living your life through it as often as you can. But as good news, once you reach fluency in a language, it tends to stick with you pretty well.

Also, keep in mind that while the tips in this article are an excellent place to start, there is a huge community of “polyglots” online willing to offer you their own encouragement as well. A bunch of us came together in this remix, “Skype me Maybe.”

)

I share several more stories about these polyglots and dive into much greater detail about how to learn languages in my newly released book Fluent in 3 Months. Grab a copy, or check out my site for inspiration to start your adventure in becoming fluent in a new language—or several.

Ganbatte!

###

Question of the Day: What tools or approaches have you used for learning languages? Please share in the comments!

After all the angst that goes into getting developers and IT operations people on the same page — which is what the devops movement purports to do — is it too much to ask that they also consider security at the beginning of the process?

This is not an idle question in an age where organizations are increasingly paranoid about data leakage or outright theft.

Can security be baked into software?

To recap, devops is the notion of making developers work hand-in-glove with operations people to make sure whatever software gets built is actually deployable and easily updated. In the old model — still used in many companies — developers write chunks of code and throw them over the proverbial wall to operations people, considering their job done. That leads to lots of deployment issues.

In younger, nimbler companies, devops is becoming accepted — after many cultural hurdles were cleared — as the right way to build and develop software. That’s all well and good. But now, with increased focus on security, when you ask devops people if they factor in security from the get-go, the response is pretty much: “Um, nope.”

Photo from Thinkstock/Maxkabakov

That’s a problem. Jody Brazil, founder and CTO of FireMon, (a security management company) discussed this issue in a recent Devops.com blog post, where he wrote:

“It is interesting to note that in almost no definition of devops is the security process discussed as a key element. In some cases you will hear mention of improved security through consistent configuration management enabled through automation, but security teams are not at the devops table. Why is that?”

To be fair, let’s stipulate that one benefit of devops is that resulting software is more easily patched and updated. This is not a trivial point since one of the primary reasons for security failures is the use of old, unpatched software.

But having said that, even devops purveyors admit more can be done. As Nigel Kersten, CIO of Puppet Labs (see disclosure) put it:

” … automation and configuration management tools solve a lot of the same problems as traditional security solutions, but can actually solve problems of inconsistent and unapproved configurations rather than just diagnosing them. That being said, there are definitely roles for more security specific tools in a devops toolchain around governance and auditing output – but only when these tools can interface with the configuration management and automation layer.”

Rajat Bhargava, CEO of JumpCloud, a server management company, agreed that much is already being done in the devops process to batten down the hatches. Most companies that practice devops already focus more on their application and infrastructure architecture security, just not in the context of existing security vendor tools.

Modern developers who cut their teeth on Amazon Web Services already have this mindset. They pick and choose their cloud components with an eye on isolating their workloads as much as possible on a public cloud, for example. “Many use AWS VPC to create a virtual private cloud and then automate the creation and scaling of new servers so their architecture is already behind a firewall –per AWS security groups,” he said via email.

So … So…. who’s in charge?

Almost everyone seems to agree that security needs to be thought of at the beginning of the process the process and not tacked on at the end. But not everyone felt it should be the devops crew doing that.

That job should fall to the solutions architect, not devops, said Brian McCallion, founder of Bronze Drum Consulting, a New York IT consultancy. The solutions architect should spec out how network subnets in the VPC should be isolated, define privileges and set authentication. Then it’s up to devops to build from that blueprint, he said.

Unfortunately, things don’t always work out that way.

“Devops teams will make these choices on their own unless they are specifically required to build to a specific design. In my experience devops teams, including developers with root privileges, will ignore security concerns, or even if they attempt to address such concerns simply do not have the domain expertise,” he noted via email.

So we’re all in violent agreement: Security should be firmly in mind before applications and their infrastructure get built. The question then is who drives the process. Stay tuned.

Disclosure:Puppet Labs is backed by True Ventures, a venture capital firm that is an investor in the parent company of Gigaom.

Related research and analysis from Gigaom Research:
Subscriber content. Sign up for a free trial.

• How devops can reduce cycle times
• Continuous delivery and the world of devops
• Scaling Hadoop clusters: the role of cluster management
• Infrastructure Q1: Cloud and big data woo enterprises

(If you can’t see the embedded slides above, you can also download the PDF here)

A few months ago, I spoke to a group of entrepreneurs at Stanford whose seed stage companies were still struggling to get product/market fit. I wrote down a few thoughts on the topic and turned it into slides. It’s really an extended version of this essay from 2011, but incorporates some newer thinking based on stuff I’ve learned in the meantime.

Here’s some notes on the slides, to add some color:

• Traction is everything, but it’s a reflection of getting product/market fit
  • You can’t get growth and traction without nailing fit first
  • P/M fit is when people who know they want your product are happy with what you’re offering
  • Then you’re ready to shift your focus from product to distribution and win the market
• (Woz/Steve photo) This is why 20-something year olds often build awesome new companies in Silicon Valley- they make lots of stuff, hit product/market fit, and the capital/talent comes to help them scale
• P/M fit metrics for SaaS and consumer- but it’s good to look at other comparable products and see if you’re close
  • Consumer (non-commerce) P/M fit based on DAU/MAU, organic growth rates, D1 and D30 retention rates, etc.
  • SaaS based on conversion rates, CPA/LTV ratio, churn rates
• And if you have P/M fit, you should email me :) I can connect you with capital/people to help scale
• These days, most startups fail because of lack of P/M fit, not technology risk
• Product/market fit is actually easy to get
  • Everyone knows how to get P/M fit on a coffee cup
  • There’s not too many variables in designing a cup
  • However, digital products are complex and people take too much market and product risk
• Some heuristics on making P/M fit easier
  • Pre-existing product category
  • Large # of customers “pulling” for that product category
  • Successful competition
  • Clear axis of competition
  • Build for yourself
• One way to P/M fit. Just clone something
  • Lots of problems though- it’s uninspiring
  • Playing for #2
• More balanced approach is to innovate on 20%, ideally a core thing
• What happens after hitting P/M fit?
  • Summon the power of Silicon Valley!
  • Throw capital and people at the problem
  • Scaling distribution is about feedback loops- either with paid ads or viral loop or SEO loop